Attack spreads to US, India, Australia but damage is limited
THE new ransomware attack that hit computers first in the Ukraine and Russia late on Tuesday, and then spread to the US, Middle East, India and Australia, used the "Eternal Blue" exploit code which, cybersecurity experts widely believe, was stolen from the US National Security Agency (NSA). In this respect, it bears many similarities to the WannaCry malware that affected more than 200,000 computers in May. However, unlike WannaCry, the new ransomware has not yet spread as widely or infected as many computers: a report from Kaspersky Lab suggested that around 2,000 computers had been infected at the time of going to press.
Security experts noted that the ransomware, named Petya, caused serious disruption at a number of large firms around the world, after spreading out from Russia and the Ukraine, first to Western Europe and then on to the US, Middle East and Asia. Firms affected include the advertising giant WPP, French construction materials company Saint-Gobain, Russian steel and oil firms Evraz and Rosneft, US pharmaceutical major Merck, and the Maersk Group-owned APM Terminals at India's biggest port, Jawaharlal Nehru Port Trust, in Mumbai. The shipping giant's operations were affected around the world.
In Australia, global law firm DLA Piper informed its Australian staff that it had been the victim of a "major cyber incident". The Cadbury chocolate factory in Hobart was also affected.
Tony Jarvis, Check Point Software's Asia-Pacific, Middle East and Africa chief strategist, told The Business Times that although there weren't any publicly known or reported cases of the Petya ransomware in Singapore yet, "there may be reports as the day moves along (similar to what happened to the previous WannaCry ransomware situation in Singapore)".
Mr Jarvis added: "Unlike WannaCry, Petya disables the user access to the entire disk (technically by encrypting the Master Boot Record or MBR) rather than what WannaCry did with encrypting individual files. This means that a computer infected by Petya will not boot up unless the decryption key is present.
"And we know because the Petya ransomware does not have a 'kill switch' like WannaCry, it cannot be shut down unless a decryption key is found. And since the e-mail server hosting the singular e-mail address for the decryption key has been shut down, there is no way for users to recover their data. Furthermore, Petya leverages on multi-mode infection methods, including remote access and Microsoft Office documents. This makes Petya much more permeating and insidious compared to the similar WannaCry."
Verizon's 2017 Data Breach Investigations Report noted that ransomware is the fifth most common form of malware and the most common in the crimeware pattern. The report added: "For the attacker, holding files for ransom is fast, low risk and easily monetisable, especially with Bitcoin to collect anonymous payment."
Security experts were of the opinion that this latest attack, like the previous WannaCry attack, was staged by relatively inexperienced ransomware attackers. Wally Lee, senior vice-president and principal cyber architect at security company Quann, noted that Petya is not new - "just a new strain of the ransomware, which has been in existence since 2016".
While most security experts agree that this particular strain of ransomware is related to the Petya strain, cybersecurity company Kaspersky Lab issued a rather cryptic release in which it said the company's preliminary findings suggested that it was not a variant of Petya ransomware but a new ransomware that has not been seen before. For that reason the security company has named it NotPetya.
Steve McGregory, Ixia's senior director of application threat intelligence, noted: "From what we've seen, we don't believe this is nation-state related."
He added that it is important to note that since the Shadow Brokers' leaks of nation-state-level NSA cyber weapons such as Eternal Blue, the use of WannaCry and the current ransomware campaign "are the equivalent of sophomore college students getting their masters' degrees in a matter of weeks".
Matt Moynahan, CEO of Forcepoint, however, added: "The latest ransomware attacks are demonstrating just how vulnerable critical infrastructure is by hitting railways, airports, hospitals and more. The lines between nation-state defence and commercial defence continue to blur."
Nick Savvides, security advocate at Symantec said: "We see that cyber-attackers are compromising businesses and individuals in Asia with continued success.
"While the threat may have started in Eastern Europe, it has quickly spread across the world in a short amount of time. However, we can expect that most victims would choose not to publicly disclose if they have been affected, keeping in line with the chronic under-reporting of cybercrime trends."